Re: [ietf-dkim] What shows up with duplicated headers?
Here's another batch of spam with extra From or Subject lines. I see the same thing as last time, the extra subjects are all the same, and the extra From lines look like bugs, not attempts to evade filters. The spam with 6,981 From lines is impressive in a wacky way.

R's,
John

http://spample.iecc.com/oko/13513473 !!! from 2 subj 1
http://spample.iecc.com/mai/13527118 !!! from 1 subj 2 same
http://spample.iecc.com/wnq/13527333 !!! from 2 subj 1
http://spample.iecc.com/xdg/13644660 !!! from 2 subj 1
http://spample.iecc.com/ydd/13658310 !!! from 2190 subj 1
http://spample.iecc.com/yic/13695408 !!! from 1 subj 2 same
http://spample.iecc.com/gkj/13764008 !!! from 6981 subj 1
http://spample.iecc.com/joi/13772001 !!! from 2 subj 1
http://spample.iecc.com/sxt/13794463 !!! from 840 subj 1
http://spample.iecc.com/euf/13894583 !!! from 2 subj 1
http://spample.iecc.com/gix/13906201 !!! from 1 subj 2 same
http://spample.iecc.com/bds/13961106 !!! from 2 subj 1
http://spample.iecc.com/jha/14009391 !!! from 2 subj 1
http://spample.iecc.com/ptl/14009501 !!! from 1 subj 2 same
http://spample.iecc.com/ndg/14053973 !!! from 1 subj 2 same
http://spample.iecc.com/ddz/14108277 !!! from 1 subj 2 same
http://spample.iecc.com/pes/14209695 !!! from 2 subj 1
http://spample.iecc.com/kfd/14263497 !!! from 1 subj 2 same
http://spample.iecc.com/qdg/14263705 !!! from 1 subj 2 same
http://spample.iecc.com/eyp/14268312 !!! from 1 subj 2 same
http://spample.iecc.com/uib/14277824 !!! from 1 subj 2 same
http://spample.iecc.com/mcj/14278398 !!! from 1 subj 2 same
http://spample.iecc.com/rwz/14317049 !!! from 1 subj 2 same
http://spample.iecc.com/syi/14317050 !!! from 1 subj 2 same
http://spample.iecc.com/ewh/14337217 !!! from 1 subj 2 same
http://spample.iecc.com/keh/14349846 !!! from 1 subj 2 same
http://spample.iecc.com/jtl/14351633 !!! from 1 subj 2 same
http://spample.iecc.com/hqw/14360328 !!! from 1 subj 2 same
http://spample.iecc.com/slz/14363168 !!! from 1 subj 2 same
http://spample.iecc.com/oqu/14370756 !!! from 1 subj 2 same
http://spample.iecc.com/shu/14370764 !!! from 1 subj 2 same
http://spample.iecc.com/mqz/14390820 !!! from 1 subj 2 same
http://spample.iecc.com/dxb/14392591 !!! from 1 subj 2 same
http://spample.iecc.com/vcw/14393557 !!! from 1 subj 2 same
http://spample.iecc.com/gkj/14393579 !!! from 1 subj 2 same
http://spample.iecc.com/vef/14409312 !!! from 1 subj 2 same
http://spample.iecc.com/xus/14410639 !!! from 1 subj 2 same
http://spample.iecc.com/vta/14466945 !!! from 2 subj 1
http://spample.iecc.com/tvf/14477920 !!! from 1 subj 2 same
http://spample.iecc.com/nbq/14512851 !!! from 2 subj 1
http://spample.iecc.com/wbt/14514852 !!! from 977 subj 1
http://spample.iecc.com/muf/14519415 !!! from 385 subj 1
http://spample.iecc.com/thg/14542167 !!! from 2 subj 1
http://spample.iecc.com/scg/14542263 !!! from 2 subj 1
http://spample.iecc.com/bia/14572469 !!! from 1 subj 2 same
http://spample.iecc.com/hwd/14574906 !!! from 1 subj 2 same
http://spample.iecc.com/eeu/14595557 !!! from 2 subj 1
http://spample.iecc.com/wsf/14601350 !!! from 2 subj 1
http://spample.iecc.com/kyr/14602820 !!! from 2 subj 1
http://spample.iecc.com/hsg/14607445 !!! from 2 subj 1
http://spample.iecc.com/pva/14609226 !!! from 2 subj 1
http://spample.iecc.com/mur/14632131 !!! from 1 subj 2 same
http://spample.iecc.com/mua/14644824 !!! from 2 subj 1
http://spample.iecc.com/ych/14661976 !!! from 2 subj 1
http://spample.iecc.com/fuf/14689113 !!! from 1 subj 2 same
http://spample.iecc.com/dsd/14723463 !!! from 1 subj 2 same
http://spample.iecc.com/knx/14728696 !!! from 1 subj 2 same
http://spample.iecc.com/mux/14728748 !!! from 1 subj 2 same
http://spample.iecc.com/djd/14728829 !!! from 1 subj 2 same
http://spample.iecc.com/epb/14728832 !!! from 1 subj 2 same
http://spample.iecc.com/jdy/14740113 !!! from 1 subj 2 same
http://spample.iecc.com/mxi/14750851 !!! from 2 subj 1
http://spample.iecc.com/qbm/14754069 !!! from 1 subj 2 same
http://spample.iecc.com/yhz/14763567 !!! from 2 subj 1
http://spample.iecc.com/voc/14768732 !!! from 2 subj 1
http://spample.iecc.com/sal/14778601 !!! from 1 subj 2 same
http://spample.iecc.com/snw/14800456 !!! from 2 subj 1
http://spample.iecc.com/kzw/14805611 !!! from 2 subj 1
http://spample.iecc.com/kta/14837567 !!! from 1 subj 2 same
http://spample.iecc.com/cuw/14844705 !!! from 2 subj 1
http://spample.iecc.com/cwf/14844706 !!! from 2 subj 1
http://spample.iecc.com/paf/14884768 !!! from 1 subj 2 same
http://spample.iecc.com/qcz/14884769 !!! from 1 subj 2 same
http://spample.iecc.com/fpk/14887273 !!! from 1 subj 2 same
http://spample.iecc.com/eoz/14893324 !!! from 2 subj 1
http://spample.iecc.com/aas/14935218 !!! from 1 subj 2 same
http://spample.iecc.com/wcs/14935821 !!! from 2 subj 1
http://spample.iecc.com/dbf/14943578 !!! from 1 subj 2 same
http://spample.iecc.com/ndo/14949600 !!! from 1 subj 2 same
http://spample.iecc.com/ovs/14949602 !!! from 1 subj 2 same
http://spample.iecc.com/czc/14952912 !!! from 1 subj 2 same
Re: [ietf-dkim] What shows up with duplicated headers?
John R. Levine wrote:

> Here's another batch of spam with extra From or Subject lines. I see the same thing as last time, the extra subjects are all the same, and the extra From lines look like bugs, not attempts to evade filters. The spam with 6,981 From lines is impressive in a wacky way.
>
> R's,
> John
>
> [SNIP]

Wow! I definitely have to pencil in time this weekend to scan the archives (I think I have some from as far back as 1998) to see how pervasive this issue was. Good show, John.

---
HLS

___
NOTE WELL: This list operates according to http://mipassoc.org/dkim/ietf-list-rules.html
[ietf-dkim] What shows up with duplicated headers?
Murray is of course correct that duplicated headers could be used to fool sorting programs like procmail or filtering programs.

I have an archive of a lot of the spam received on my system in recent years, so I've been grepping through it looking for duplicated from and subject headers. Here's what I've found so far. The URLs below are real, and will fetch you a copy of the spam. Each line tells how many from and subject lines the message has, and same means the two subjects are the same.

In this tiny sample, every duplicated subject is the same, and the duplicated froms are all similar to each other, and appear to be due to bugs in the spamware, not malicious intent. I dunno what that tells us, other than that whatever attack is enabled by duplicated headers, it doesn't appear to have happened yet. But I do share Mark's concern that it would be unfortunate if there were ways to make significant changes to the way a message renders without breaking a non-silly signature, i.e., one that covers the usual headers and the whole body.

R's,
John

http://spample.iecc.com/uft/22579237 !!! from 2 subj 1
http://spample.iecc.com/trh/22584748 !!! from 1 subj 2 same
http://spample.iecc.com/hua/22585805 !!! from 1 subj 2 same
http://spample.iecc.com/jaw/22594898 !!! from 1 subj 2 same
http://spample.iecc.com/jcf/22594899 !!! from 1 subj 2 same
http://spample.iecc.com/kea/22594900 !!! from 1 subj 2 same
http://spample.iecc.com/kgi/22594901 !!! from 1 subj 2 same
http://spample.iecc.com/ljd/22594902 !!! from 1 subj 2 same
http://spample.iecc.com/llm/22594903 !!! from 1 subj 2 same
http://spample.iecc.com/mnh/22594904 !!! from 1 subj 2 same
http://spample.iecc.com/mpp/22594905 !!! from 1 subj 2 same
http://spample.iecc.com/nrk/22594906 !!! from 1 subj 2 same
http://spample.iecc.com/ntt/22594907 !!! from 1 subj 2 same
http://spample.iecc.com/pxx/22594909 !!! from 1 subj 2 same
http://spample.iecc.com/pzr/22594910 !!! from 1 subj 2 same
http://spample.iecc.com/qba/22594911 !!! from 1 subj 2 same
http://spample.iecc.com/qdv/22594912 !!! from 1 subj 2 same
http://spample.iecc.com/rge/22594913 !!! from 1 subj 2 same
http://spample.iecc.com/riy/22594914 !!! from 1 subj 2 same
http://spample.iecc.com/syh/22594915 !!! from 1 subj 2 same
http://spample.iecc.com/sac/22594916 !!! from 1 subj 2 same
http://spample.iecc.com/tcl/22594917 !!! from 1 subj 2 same
http://spample.iecc.com/teg/22594918 !!! from 1 subj 2 same
http://spample.iecc.com/ugo/22594919 !!! from 1 subj 2 same
http://spample.iecc.com/uij/22594920 !!! from 1 subj 2 same
http://spample.iecc.com/vks/22594921 !!! from 1 subj 2 same
http://spample.iecc.com/vmn/22594922 !!! from 1 subj 2 same
http://spample.iecc.com/wov/22594923 !!! from 1 subj 2 same
http://spample.iecc.com/xrq/22594924 !!! from 1 subj 2 same
http://spample.iecc.com/xtz/22594925 !!! from 1 subj 2 same
http://spample.iecc.com/yvu/22594926 !!! from 1 subj 2 same
http://spample.iecc.com/yxc/22594927 !!! from 1 subj 2 same
http://spample.iecc.com/zzx/22594928 !!! from 1 subj 2 same
http://spample.iecc.com/zbg/22594929 !!! from 1 subj 2 same
http://spample.iecc.com/adb/22594930 !!! from 1 subj 2 same
http://spample.iecc.com/afk/22594931 !!! from 1 subj 2 same
http://spample.iecc.com/bhe/22594932 !!! from 1 subj 2 same
http://spample.iecc.com/bjn/22594933 !!! from 1 subj 2 same
http://spample.iecc.com/cli/22594934 !!! from 1 subj 2 same
http://spample.iecc.com/cor/22594935 !!! from 1 subj 2 same
http://spample.iecc.com/dql/22594936 !!! from 1 subj 2 same
http://spample.iecc.com/dsu/22594937 !!! from 1 subj 2 same
http://spample.iecc.com/eup/22594938 !!! from 1 subj 2 same
http://spample.iecc.com/ewy/22594939 !!! from 1 subj 2 same
http://spample.iecc.com/fys/22594940 !!! from 1 subj 2 same
http://spample.iecc.com/gab/22594941 !!! from 1 subj 2 same
http://spample.iecc.com/gcw/22594942 !!! from 1 subj 2 same
http://spample.iecc.com/her/22594943 !!! from 1 subj 2 same
http://spample.iecc.com/hga/22594944 !!! from 1 subj 2 same
http://spample.iecc.com/iiu/22594945 !!! from 1 subj 2 same
http://spample.iecc.com/ild/22594946 !!! from 1 subj 2 same
http://spample.iecc.com/jph/22594948 !!! from 1 subj 2 same
http://spample.iecc.com/krb/22594949 !!! from 1 subj 2 same
http://spample.iecc.com/khk/22594950 !!! from 1 subj 2 same
http://spample.iecc.com/ljf/22594951 !!! from 1 subj 2 same
http://spample.iecc.com/llo/22594952 !!! from 1 subj 2 same
http://spample.iecc.com/mpr/22594954 !!! from 1 subj 2 same
http://spample.iecc.com/nrm/22594955 !!! from 1 subj 2 same
http://spample.iecc.com/ntv/22594956 !!! from 1 subj 2 same
http://spample.iecc.com/owq/22594957 !!! from 1 subj 2 same
http://spample.iecc.com/pyy/22594958 !!! from 1 subj 2 same
http://spample.iecc.com/pat/22594959 !!! from 1 subj 2 same
http://spample.iecc.com/qcc/22594960 !!! from 1 subj 2 same
http://spample.iecc.com/qex/22594961 !!! from 1 subj 2 same
http://spample.iecc.com/rgf/22594962 !!! from 1 subj 2 same
Re: [ietf-dkim] What shows up with duplicated headers?
John R. Levine wrote:

> I dunno what that tells us, other than that whatever attack is enabled by duplicated headers, it doesn't appear to have happened yet.

Maybe it has, and it is the best kept secret loophole of spammers and spoofers. Maybe there should be more research into the site mail archives to see how much of this was among us, fooling users, for a long time. Maybe it slowed down as the larger ISPs or ESPs began to filter invalid RFC 822/2822/5322 messages, as gmail.com does now. But then again, gmail.com is a relatively new entry.

I can tell you that our 25+ year old mail package, which was one of the top 5 BBS mail packages in the 80s and early 90s, never looked for this as far as I recall, and only recently I added a server script to check for it, after discovering why Alt-N modified their API to check for multiple non-hashed From: headers. Alt-N's input on this was that they did not see any evidence of wide usage other than the fact that it was a customer report, and they updated their DKIM API to add a new requirement for verification: all 5322.From must be hashed.

That is why the President Obama message got in here. It had two 5322.From headers, which was signed by my system when it sent the message to Dave's system. Dave's system validated the double From and resigned without hesitation. However, when I sent the double From without a valid signature, it barfed on the message.

What your research shows is that the problem is REAL. What we don't know is how much it has affected the end-users as part of the phishing and spoofing schemes, because I will venture that most systems do not check for this. Thanks to DKIM, now they will, and for the legacy systems adding a DKIM standalone component, the DKIM component MUST also check for this loophole.

--
Hector Santos, CTO
http://www.santronics.com
http://santronics.blogspot.com
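An added example, in Python, that is not part of any message in this thread and not Alt-N's or anyone else's product code. It does two things the thread talks about: it counts From: and Subject: fields in a raw message and prints John's "from N subj M [same]" notation, and it implements the verifier rule Hector attributes to Alt-N, that every 5322.From must be covered by the DKIM-Signature h= tag, next to the stronger signer-side "over-signing" practice from RFC 6376 section 5.4.2 (listing From in h= one more time than it occurs, so that an added From: breaks the signature). The messages and DKIM-Signature values are constructed for the example; the signature is not cryptographically verified, only its h= coverage is inspected.

```python
"""Duplicate From:/Subject: survey and DKIM h= coverage check (added example)."""
from typing import Dict, List, Optional, Tuple


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Return the header block as ordered (lowercased name, value) pairs.

    Folded continuation lines (leading SP/HTAB) are joined onto the preceding
    field. An mbox "From " envelope line is skipped so it is not counted as a
    From: field.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    fields: List[Tuple[str, str]] = []
    for line in head.split("\n"):
        if line.startswith("From "):            # mbox separator, not a header
            continue
        if line[:1] in (" ", "\t") and fields:  # folded continuation
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip().lower(), value.strip()))
    return fields


def survey(raw: str) -> Dict[str, object]:
    """Count From: and Subject: fields; 'same' is meaningful only with 2+ subjects."""
    fields = parse_headers(raw)
    froms = [v for n, v in fields if n == "from"]
    subjects = [v for n, v in fields if n == "subject"]
    return {
        "from": len(froms),
        "subj": len(subjects),
        "same": len(set(subjects)) == 1 if len(subjects) > 1 else False,
    }


def summary_line(raw: str) -> str:
    """Render a survey in the 'from N subj M [same]' notation used in the thread."""
    s = survey(raw)
    line = f"from {s['from']} subj {s['subj']}"
    return line + " same" if s["same"] else line


def dkim_tags(signature_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag=value pairs; folding whitespace is dropped."""
    tags: Dict[str, str] = {}
    for part in signature_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def signed_field_names(raw: str) -> Optional[List[str]]:
    """Lowercased header names listed in h= of the first DKIM-Signature, or None."""
    for name, value in parse_headers(raw):
        if name == "dkim-signature":
            h = dkim_tags(value).get("h", "")
            return [x.lower() for x in h.split(":") if x]
    return None


def from_fully_signed(raw: str) -> bool:
    """Verifier policy: every From: present must be covered by h=.

    h= must name 'from' at least as many times as From: occurs; otherwise an
    unsigned From: exists that a client may display. Policy pre-check only,
    the b= signature itself is not verified here.
    """
    signed = signed_field_names(raw)
    return signed is not None and signed.count("from") >= int(survey(raw)["from"])


def from_oversigned(raw: str) -> bool:
    """Signer practice (RFC 6376 5.4.2): h= lists 'from' one more time than From: occurs."""
    signed = signed_field_names(raw)
    return signed is not None and signed.count("from") > int(survey(raw)["from"])


# Constructed samples (not real messages); bh=/b= are placeholders.
SIG = ("DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\r\n"
       "\ts=sel; h={h}; bh=placeholder;\r\n"
       "\tb=placeholder\r\n")
MSG_DOUBLE_FROM = ("From: \"Account Services\" <support@bank.example>\r\n"
                   "From: bulk@spamware.example\r\n"
                   "Subject: please verify your account\r\n\r\nbody\r\n")
MSG_DOUBLE_SUBJECT = ("From: bulk@spamware.example\r\n"
                      "Subject: cheap watches\r\nSubject: cheap watches\r\n\r\nbody\r\n")
# Signed with h=from:subject, then a second From: added downstream.
MSG_SIGNED_THEN_FROM_ADDED = SIG.format(h="from:subject") + MSG_DOUBLE_FROM
# Signer listed From twice in h= while one From: is present.
MSG_OVERSIGNED = SIG.format(h="from:from:subject") + \
    "From: alice@example.org\r\nSubject: hi\r\n\r\nbody\r\n"

if __name__ == "__main__":
    for label, msg in [("double From", MSG_DOUBLE_FROM),
                       ("double Subject", MSG_DOUBLE_SUBJECT),
                       ("signed, From added", MSG_SIGNED_THEN_FROM_ADDED),
                       ("over-signed", MSG_OVERSIGNED)]:
        print(f"{label:20} {summary_line(msg):22} all From signed: "
              f"{from_fully_signed(msg)}  over-signed: {from_oversigned(msg)}")
```

Run over an mbox split into individual messages, `summary_line` reproduces the per-message notation above; `from_fully_signed` is the check a verifier can apply before trusting a d= domain for display, and `from_oversigned` is what a signer can assert about its own output.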